
IRM 017: Multiple Vulnerabilities in Infovista Portal SE



----------------------------------------------------------------------
IRM Security Advisory No. 017

Multiple Vulnerabilities in Infovista Portal SE

Vulnerability Type / Importance:        Directory Traversal / High
                                                Information Leakage / Low

Problem Discovered: January 20th 2006
Vendor Contacted: January 20th 2006
Advisory Published: February 22nd 2006  
----------------------------------------------------------------------

Abstract:

VistaPortal enables secure, browser-based access to service-centric
performance information. The easy implementation, display and design of
Portal-based dashboards and reports give accurate visibility into the
performance of the entire global IT infrastructure. VistaPortal allows users
to simultaneously view Key Performance Indicators (KPIs), real-time
performance notifications and strategic business information, from which
users can drill down to related real-time and historical reports residing in
VistaMart, the InfoVista Server and VistaTroubleshooter. VistaPortal
delivers rich, interactive content within a standards-based, open
architecture that allows seamless integration with existing applications and
easy incorporation of information into other Web Portals.
(http://www.infovista.com/products/product_list.asp#vistaportal)

Description:

PortalSE allows a remote attacker to read any file on the filesystem, because
it runs with root privileges by default. It is also susceptible to a directory
revelation issue.

Technical Details:

During a recent research engagement IRM found multiple vulnerabilities in the
Infovista PortalSE software. Using specially crafted URLs it is possible to
read any file on the filesystem. Because the product runs with super-user
privileges, this makes it possible to obtain the system's password hashes.
 
Additionally, when a non-existent server is selected in the server field, the
response reveals a full directory path, which can be useful to an attacker in
fingerprinting the underlying operating system and directory structure:

An error occured while accessing the report '<nonexistentserver>_31457':
No Such Report Generated For You

[-] Hide details

/opt/InfoVista/PortalSE/files/default/<nonexistentserver>/31457/report.html
(No such file or directory)
java.io.FileNotFoundException:
/opt/InfoVista/PortalSE/files/default/<nonexistentserver>/31457/report.html
(No such file or directory)
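
As an added example (not IRM's or Infovista's code), the following Java class
shows one way to guard against both issues, assuming request values are joined
into a path of the form shown in the error output above. ReportResolver,
ReportException and the allow-list pattern are hypothetical names and choices.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added illustration, not Infovista code; all names here are hypothetical.
public class ReportResolver {
    public static class ReportException extends Exception {
        ReportException(String msg) { super(msg); }
    }
    private static final Logger LOG = Logger.getLogger("reports");
    // Assumed allow-list for the request-supplied path components.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private final Path base;

    public ReportResolver(Path base) throws IOException {
        this.base = base.toRealPath(); // canonical root, symlinks resolved
    }
    private static boolean ok(String s) { return s != null && SAFE.matcher(s).matches(); }
    /** Returns the report body or throws a message that is safe to show the user. */
    public byte[] load(String server, String reportId) throws ReportException {
        if (!ok(server) || !ok(reportId)) throw new ReportException("No such report");
        try {
            Path p = base.resolve(server).resolve(reportId).resolve("report.html").toRealPath();
            if (!p.startsWith(base)) { // a symlink led outside the report root
                LOG.warning("report path outside base: " + p);
                throw new ReportException("No such report");
            }
            return Files.readAllBytes(p);
        } catch (IOException e) {
            // The path and exception go to the server log, never into the response.
            LOG.warning("report lookup failed: " + e);
            throw new ReportException("No such report");
        }
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("reports"); // constructed sample tree
        Files.createDirectories(root.resolve("srv1/31457"));
        Files.write(root.resolve("srv1/31457/report.html"), "<html>ok</html>".getBytes());
        ReportResolver r = new ReportResolver(root);
        System.out.println(new String(r.load("srv1", "31457")));
        for (String s : new String[] {"../../etc", "nosuchserver"}) {
            try { r.load(s, "31457"); }
            catch (ReportException e) { System.out.println(s + " -> " + e.getMessage()); }
        }
    }
}
```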

Vendor & Patch Information:

The vendor has released a hotfix for the directory traversal issue
(IV00038969) which should be applied. The vendor does not deem the
information leakage of the directory path an issue and has not released a
hotfix for this.

Tested Versions:

PortalSE 2.0 Build 20087 on Solaris 8

Credits: 

Research & Advisory: P Robinson

Disclaimer: 

All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. Information Risk Management Plc is not responsible
for any risks or occurrences caused by the application of this information.